SEC - Introduction to information security testing
A video for information security testing can be found on panopto.
About service production and security - Valu Digital Oy
About Software Library/Component Quality Metrics
There is lot's of software components and librarys available for developer around the internet. Important question from security point of view is which one of them are trustworthy enough? Commonly software library componets are development and delivered as projects eg. Github and needed source files/packages are easily to download to be integrated as part of development environment. What if some of external sources are affected by "Evil forces"?
Sonatype as company provides material, methods and tools to monitor your component sources as part of your development line
How to detect level of trustworthy and security inside component development project?
About Supply-chain and Open Source
Information security controls
There are many different types of information security controls and they are covered in more depth in advanced courses. These controls are held at the international level by many parties, but there are also Finnish models. In this case, we will get to know only one of the most used CIS controls. You can familiarize yourself with CIS controls here: https://www.cisecurity.org/controls/cis-controls-navigator/, in this project we do not of course go ahead and implement all of this. First of all, let's look at only the requirements of implementation group 1, from which we will extract the most important points for the project in the manufacturing phase. There are even scanners and automation for CIS controls, but these tools are not necessarily effective when packaged in separate parts. I created a list that could have a few points that you could look at with thought:
| CIS Control | CIS safeguard | Asset type | Title |
|---|---|---|---|
| 1 | 1,1 | Devices | Establish and Maintain Detailed Enterprise Asset Inventory |
| 2 | 2,1 | Applications | Establish and Maintain a Software Inventory |
| 5 | 5,1 | Users | Establish and Maintain an Inventory of Accounts |
| 5 | 5,2 | Users | Use Unique Passwords |
| 5 | 5,4 | Users | Restrict Administrator Privileges to Dedicated Administrator Accounts |
| 7 | 7,1 | Applications | Establish and Maintain a Vulnerability Management Process |
| 7 | 7,3 | Applications | Perform Automated Operating System Patch Management |
| 7 | 7,4 | Applications | Perform Automated Application Patch Management |
| 8 | 8,1 | Network | Establish and Maintain an Audit Log Management Process |
| 8 | 8,2 | Network | Collect Audit Logs |
| 8 | 8,3 | Network | Ensure Adequate Audit Log Storage |
| 9 | 9,2 | Network | Use DNS Filtering Services |
| 11 | 11,1 | Data | Establish and Maintain a Data Recovery Process |
| 11 | 11,2 | Data | Perform Automated Backups |
| 11 | 11,3 | Data | Protect Recovery Data |
| 11 | 11,4 | Data | Establish and Maintain an Isolated Instance of Recovery Data |